Computer-implemented enterprise systems (e.g., enterprise resource planning (ERP) systems, customer relationship management (CRM) systems) are often required to enforce a variety of different and complex security policies. If an enterprise operates in a regulated sector (e.g., healthcare, finance), for example, the enterprise may be required to prove that its information technology (IT) systems comply with the applicable regulations.
In some cases, these complex security and compliance policies change frequently. This can result in frequent, unintended violations of policies. For example, a policy can change such that users who had been permitted to access particular resources are no longer permitted to access them. A user may be unaware of, or may have forgotten, the policy change, and may attempt to access the resources, resulting in a policy violation. Further, an increasing number of enterprise systems use more flexible approaches to access control (e.g., break-glass access control) that allow users, in a controlled manner, to override access control restrictions.
Both trends result in an increased need for effective and efficient mechanisms for the post-hoc audit of access control violations. That is, during an audit, an auditor must dig through numerous logged accesses, each of which could indicate a policy violation, and filter out incidents caused by changes in security policies and/or by inaccurate or outdated policies. This is time and resource intensive.
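To make the audit problem concrete, the following is an added illustration (not the method described in the original text, and not code from any particular product) of the filtering step an auditor would otherwise do by hand. It replays a constructed access log against a constructed history of policy versions and sorts each logged access into one of four buckets: permitted by the policy in force at the time, a controlled break-glass override, an access that was permitted under the previous policy version and occurred shortly after the change (a likely "user unaware of the change" case), or a genuine violation that needs the auditor's attention. The policy model (sets of permitted (role, resource) pairs per version), the log format, the seven-day grace window, and all names and timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Assumed policy model for this example: a version permits a set of
# (role, resource) pairs from `effective` until the next version takes effect.
@dataclass(frozen=True)
class PolicyVersion:
    effective: datetime
    permitted: FrozenSet[Tuple[str, str]]

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    resource: str
    break_glass: bool  # True if the user invoked a controlled override

# Constructed policy history: version 2 revokes the nurse -> patient_records rule.
POLICY_HISTORY: List[PolicyVersion] = sorted([
    PolicyVersion(datetime(2024, 1, 1),
                  frozenset({("nurse", "patient_records"), ("admin", "billing")})),
    PolicyVersion(datetime(2024, 3, 1),
                  frozenset({("admin", "billing")})),
], key=lambda v: v.effective)

# Constructed access log (one event per line):
# <ISO timestamp> <user> <role> <resource> <break_glass 0|1>
SAMPLE_LOG = """\
2024-02-10T08:00:00 alice nurse patient_records 0
2024-03-02T09:14:00 alice nurse patient_records 0
2024-03-20T22:41:00 bob nurse patient_records 1
2024-04-15T11:05:00 carol nurse patient_records 0
2024-04-15T11:06:00 dave admin billing 0
"""

def parse_log(text: str) -> List[AccessEvent]:
    """Parse the assumed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, resource, bg = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, resource, bg == "1"))
    return events

def policy_at(history: List[PolicyVersion], ts: datetime) -> Optional[PolicyVersion]:
    """Return the version in force at ts, or None if ts predates every version."""
    current = None
    for v in history:  # history is sorted by effective date
        if v.effective <= ts:
            current = v
    return current

def predecessor(history: List[PolicyVersion], version: PolicyVersion) -> Optional[PolicyVersion]:
    """Return the version that `version` replaced, if any."""
    idx = history.index(version)
    return history[idx - 1] if idx > 0 else None

def classify(event: AccessEvent, history: List[PolicyVersion], grace: timedelta) -> str:
    """
    'compliant'    : permitted by the policy in force when the access happened
    'break_glass'  : not permitted, but the user invoked a controlled override
    'stale_policy' : not permitted now, but permitted under the previous version,
                     and the access fell within `grace` of the change
    'violation'    : none of the above; needs the auditor's attention
    """
    current = policy_at(history, event.ts)
    key = (event.role, event.resource)
    if current is not None and key in current.permitted:
        return "compliant"
    if event.break_glass:
        return "break_glass"
    prev = predecessor(history, current) if current is not None else None
    if prev is not None and key in prev.permitted and event.ts - current.effective <= grace:
        return "stale_policy"
    return "violation"

def triage(log_text: str, history: List[PolicyVersion],
           grace: timedelta = timedelta(days=7)) -> dict:
    """Map each category to the users whose accesses fell into it, in log order."""
    buckets = {"compliant": [], "break_glass": [], "stale_policy": [], "violation": []}
    for ev in parse_log(log_text):
        buckets[classify(ev, history, grace)].append(ev.user)
    return buckets

if __name__ == "__main__":
    for category, users in triage(SAMPLE_LOG, POLICY_HISTORY).items():
        print(f"{category:12s} {users}")
```

The grace window is the tunable part: with a window of zero, every access that the current policy does not permit and that was not a break-glass override is reported as a violation, which is the raw, unfiltered view the auditor starts from. Break-glass accesses are kept in their own bucket rather than discarded, because an override is still an event the auditor is expected to review, just with a different question (was the override justified) than a plain violation.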